The Honeynet Project recently released a new "Know Your Enemy" paper that describes how project affiliates gained new insight into credit card fraud. The paper describes how an intruder infiltrated a honeypot and used it to connect to IRC channels that were used to promote credit card fraud.

Because the honeypot was connected through an IRC proxy to the Dalnet IRC network, those monitoring the honeypot could observe activity on more than a dozen IRC channels relating to credit card fraud. Among the details learned were that the exploitation of stolen credit cards is being automated by sophisticated IRC bots that help malicious users automate a variety of activities related to their exploits.

The paper states that, "The end result is that for worldwide participants on these IRC channels, many of the technical and logistical barriers to large-scale online identity theft and subsequent credit card fraud have been removed."

Thieves could use the bots to obtain lists of merchant Web sites known to be vulnerable to credit card fraud, lists of URLs to compromise merchant Web sites, and lists of stolen identities. Information is transmitted in clear text over the monitored IRC channels and thieves frequently use proxy servers to help hide their real origin. Thieves used Bot commands to obtain lists of open proxies.

The bots also allow verification of credit card numbers to ensure the numbers are valid and can also determine which bank issued a card. Credit cards carry a card verification number, which is a three-digit numeric code printed on the back of cards. Typically, merchants use the card verification number to help determine whether a person is in actual of possession of the card, however, the bots also provide commands that can verify a card's verification number. Other commands let thieves determine the available credit card limit. The paper says that these two factors indicate that intruders have compromised actual credit card networks.

The honeypot monitors also observed fraudulent vendors offering to sell lists of credit card information to people willing to pay for it. For example, one captured IRC message said, "Hi all, i work in the LaTourista hotel here in Peru and i have access to all ccs with full info, im looking for paypal, anyone interested ??? msg me !!! i verify first!" Another captured message said, "i work at a credit card collection agancy and we get there banking information i need someone to drop money in and send me half we split 50/50 ... "

The paper points out that "there is also a significant cultural component to these channels and websites. Lurkers and newbies are frequently recruited by active users and moderators to use the tools to commit what may be their first financial crimes. Supporting material found in related Web sites promotes 'carding' as an alternative lifestyle choice rather than criminal activity."

After monitoring the IRC activities and gathering evidence, the monitoring group notified the FBI of its findings. The IRC channels and related Web site that the thieves used have since been shutdown; however, there's no reason to think that fraud doesn't occur in other area of the Internet.

You can read about the discoveries in the Honeynet Project's PDF document located on its Web site.

The Honeynet Project, launched in 1999, is a four-phase project. In 2003, the project is working on Phase III; it will create a "bootable CD-ROM that boots into a Honeynet gateway, or Honeywall. Once booted, all you have to do is place your target systems behind this gateway. This bootable device will have all the Data Control and Data Capture requirements defined in our paper Know Your Enemy: Honeynets. This will standardize Honeynets and make them easier to deploy. In addition, these bootable devices will have the option of logging to a central system, enabling the deployment of distributed Honeynets. The goal is to develop this technology and post it on the Honeynet website as a downloadable .iso image, free to the public."

Be sure to visit the project's Web site to learn more about the project and how you too can participate.